The Schengen Information System (‘SIS’) set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders2 (the ‘Schengen Convention’), and its development, SIS 1+, constitute an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union.

The development of the second generation of SIS (‘SIS II’) has been entrusted to the Commission pursuant to Council Regulation (EC) No 2424/20013 and Council Decision 2001/886/JHA4 of 6 December 2001 on the development of the second generation Schengen Information System (SIS II). SIS II will replace SIS as created pursuant to the Schengen Convention.

This Regulation constitutes the necessary legislative basis for governing SIS II in respect of matters falling within the scope of the Treaty establishing the European Community (the ‘Treaty’). X1Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II)5 constitutes the necessary legislative basis for governing SIS II in respect of matters falling within the scope of the Treaty on European Union.

The fact that the legislative basis necessary for governing SIS II consists of separate instruments does not affect the principle that SIS II constitutes one single information system that should operate as such. Certain provisions of these instruments should therefore be identical.

SIS II should constitute a compensatory measure contributing to maintaining a high level of security within the area of freedom, security and justice of the European Union by supporting the implementation of policies linked to the movement of persons that are part of the Schengen acquis, as integrated into Title IV of Part Three of the Treaty.

It is necessary to specify the objectives of SIS II, its technical architecture and financing, to lay down rules concerning its operation and use and to define responsibilities, the categories of data to be entered into the system, the purposes for which the data are to be entered, the criteria for their entry, the authorities authorised to access the data, the interlinking of alerts and further rules on data processing and the protection of personal data.

SIS II is to include a central system (Central SIS II) and national applications. The expenditure involved in the operation of Central SIS II and related communication infrastructure should be charged to the general budget of the European Union.

It is necessary to establish a manual setting out the detailed rules for the exchange of certain supplementary information concerning the action called for by alerts. National authorities in each Member State should ensure the exchange of this information.

For a transitional period, the Commission should be responsible for the operational management of Central SIS II and of parts of the communication infrastructure. However, in order to ensure a smooth transition to SIS II, it may delegate some or all of these responsibilities to two national public sector bodies. In the long term, and following an impact assessment containing a substantive analysis of alternatives from a financial, operational and organisational perspective, and legislative proposals from the Commission, a management authority with responsibility for these tasks should be established. The transitional period should last for no more than five years from the date from which this Regulation applies.

SIS II is to contain alerts for the purpose of refusing entry or stay. It is necessary to further consider harmonising the provisions on the grounds for issuing alerts concerning third-country nationals for the purpose of refusing entry or stay and to clarifying their use in the framework of asylum, immigration and return policies. Therefore, the Commission should review, three years after the date from which this Regulation applies, the provisions on the objectives of and conditions for issuing alerts for the purpose of refusing entry or stay.

Alerts for the purpose of refusing entry or stay should not be kept longer in SIS II than the time required to fulfil the purposes for which they were supplied. As a general principle, they should be automatically erased from SIS II after a period of three years. Any decision to keep an alert for a longer period should be based on a comprehensive individual assessment. Member States should review these alerts within this three-year period and keep statistics about the number of alerts the retention period of which has been extended.

SIS II should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. In the same perspective SIS II should also allow for the processing of data concerning individuals whose identity has been misused in order to avoid inconveniences caused by their misidentification, subject to suitable safeguards, in particular the consent of the individual concerned and a strict limitation of the purposes for which such data can be lawfully processed.

It should be possible for Member States to establish links between alerts in SIS II. The establishment by a Member State of links between two or more alerts should have no impact on the action to be taken, their retention period or the access rights to the alerts.

Data processed in SIS II in application of this Regulation should not be transferred or made available to third countries or to international organisations.

Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data6 applies to the processing of personal data carried out in application of this Regulation. This includes the designation of the controller and the possibility for Member States to provide for exemptions and restrictions to some of the rights and obligations provided for in that Directive including the rights of access and information of the individual concerned. The principles set out in Directive 95/46/EC should be supplemented or clarified in this Regulation, where necessary.

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data7, and in particular the provisions thereof concerning confidentiality and security of processing, apply to the processing of personal data by the Community institutions or bodies when carrying out their responsibilities in the operational management of SIS II. The principles set out in Regulation (EC) No 45/2001 should be supplemented or clarified in this Regulation, where necessary.

Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of Officials of the European Communities and the conditions of employment of other servants of the European Communities should apply to officials or other servants employed and working in connection with SIS II.

It is appropriate that national supervisory authorities monitor the lawfulness of the processing of personal data by the Member States, whilst the European Data Protection Supervisor, appointed pursuant to Decision 2004/55/EC of the European Parliament and of the Council of 22 December 2003 appointing the independent supervisory body provided for in Article 286 of the EC Treaty8, should monitor the activities of the Community institutions and bodies in relation to the processing of personal data in view of the limited tasks of the Community institutions and bodies with regard to the data themselves.

Both the Member States and the Commission should draw up a security plan in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.

In order to ensure transparency, a report on the technical functioning of Central SIS II and the communication infrastructure, including its security, and on the exchange of supplementary information should be produced every two years by the Commission or, when it is established, the management authority. An overall evaluation should be issued by the Commission every four years.

Certain aspects of SIS II, such as technical rules on entering data, including data required for entering an alert, updating, deleting and searching data, rules on compatibility and priority of alerts, links between alerts and the exchange of supplementary information cannot, owing to their technical nature, level of detail and need for regular updating, be covered exhaustively by the provisions of this Regulation. Implementing powers in respect of those aspects should therefore be delegated to the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications. Subject to an impact assessment by the Commission, it should be decided to what extent the implementing measures could be the responsibility of the management authority, once it is set up.

The measures necessary for the implementation of this Regulation should be adopted in accordance with Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission9.

It is appropriate to lay down transitional provisions in respect of alerts issued in SIS 1+ which are to be transferred to SIS II. Some provisions of the Schengen acquis should continue to apply for a limited period of time until the Member States have examined the compatibility of those alerts with the new legal framework. The compatibility of alerts on persons should be examined as a matter of priority. Furthermore, any modification, addition, correction or update of an alert transferred from SIS 1+ to SIS II, as well as any hit on such an alert, should trigger an immediate examination of its compatibility with the provisions of this Regulation.

It is necessary to lay down specific provisions regarding the part of the budget earmarked for operations of SIS which is not part of the general budget of the European Union.

Since the objectives of the action to be taken, namely the establishment and regulation of a joint information system, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale and effects of the action, be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve those objectives.

This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union.

In accordance with Articles 1 and 2 of the Protocol on the position of Denmark annexed to the Treaty on European Union and the Treaty establishing the European Community, Denmark does not take part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis under the provisions of Title IV of Part Three of the Treaty, Denmark shall, in accordance with Article 5 of the said Protocol, decide within a period of six months after date of the adoption of this Regulation whether it will transpose it in its national law.

This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis10. The United Kingdom is therefore not taking part in its adoption and is not bound by it or subject to its application.

This Regulation constitutes a development of provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis11. Ireland is therefore not taking part in its adoption and is not bound by it or subject to its application.

This Regulation is without prejudice to the arrangements for the United Kingdom's and Ireland's partial participation in the Schengen acquis as defined in Decision 2000/365/EC and Decision 2002/192/EC respectively.

As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis12, which fall within the area referred to in Article 1, point G, of Council Decision 1999/437/EC of 17 May 199913 on certain arrangements for the application of that Agreement.

An arrangement should be made to allow representatives of Iceland and Norway to be associated with the work of committees assisting the Commission in the exercise of its implementing powers. Such an arrangement has been contemplated in the Exchanges of Letters between the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning committees which assist the European Commission in the exercise of its executive powers14, annexed to the abovementioned Agreement.

As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement signed between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis, which fall within the area referred to in Article 1, point G, of Decision 1999/437/EC read in conjunction with Article 4(1) of Council Decisions 2004/849/EC15 and 2004/860/EC16.

An arrangement should be made to allow representatives of Switzerland to be associated with the work of committees assisting the Commission in the exercise of its implementing powers. Such an arrangement has been contemplated in the Exchange of Letters between the Community and Switzerland, annexed to the abovementioned Agreement.

This Regulation constitutes an act building on the Schengen acquis or otherwise related to it within the meaning of Article 3(2) of the 2003 Act of Accession.

This Regulation should apply to the United Kingdom and Ireland on dates determined in accordance with the procedures set out in the relevant instruments concerning the application of the Schengen acquis to those States,